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Abstract 


The United States Government has published the National Security Agency's Commercial 
National Security Algorithm (CNSA) Suite, which defines cryptographic algorithm policy for 
national security applications. This document specifies the conventions for using the United 
States National Security Agency's CNSA Suite algorithms in Internet Protocol Security (IPsec). It 
applies to the capabilities, configuration, and operation of all components of US National 
Security Systems (described in NIST Special Publication 800-59) that employ IPsec. This document 
is also appropriate for all other US Government systems that process high-value information. It is 
made publicly available for use by developers and operators of these and any other system 
deployments. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is published for informational 
purposes. 


This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor 
has chosen to publish this document at its discretion and makes no statement about its value for 
implementation or deployment. Documents approved for publication by the RFC Editor are not 
candidates for any level of Internet Standard; see Section 2 of RFC 7841. 


Information about the current status of this document, any errata, and howto provide feedback 
on it may be obtained at https://www.rfc-editor.org/info/rfc9206. 
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Copyright Notice 


Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights 
reserved. 


This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF 
Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this 
document. Please review these documents carefully, as they describe your rights and restrictions 
with respect to this document. 
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1. Introduction 


This document specifies the conventions for using the United States National Security Agency's 
(NSA's) Commercial National Security Algorithm (CNSA) Suite algorithms [CNSA] in Internet 
Protocol Security (IPsec). It defines CNSA-based User Interface suites ("UI suites") describing sets 
of security configurations for Internet Key Exchange Protocol Version 2 (IKEv2) and IP 
Encapsulating Security Payload (ESP) protocol use, and specifies certain other constraints with 
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respect to algorithm selection and configuration. It applies to the capabilities, configuration, and 
operation of all components of US National Security Systems (described in NIST Special 
Publication 800-59 [SP80059]) that employ IPsec. This document is also appropriate for all other US 
Government systems that process high-value information. It is made publicly available for use by 
developers and operators of these and any other system deployments. 


The reader is assumed to have familiarity with the following: 


* "IP Encapsulating Security Payload (ESP)" [RFC4303] 


e "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) 
Profile" [RFC5280] 


e "Internet Key Exchange Protocol Version 2 (IKEv2)" [RFC7296] 


* "Cryptographic Algorithm Implementation Requirements and Usage Guidance for 
Encapsulating Security Payload (ESP) and Authentication Header (AH)" [RFC8221] 


* "Commercial National Security Algorithm (CNSA) Suite Certificate and Certificate Revocation 
List (CRL) Profile" [RFC8603] 


2. Terminology 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", 
"RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be 
interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 
capitals, as shown here. 


AES refers to the Advanced Encryption Standard. ECDSA and ECDH refer to the use of the Elliptic 
Curve Digital Signature Algorithm (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH), respectively. 
DH refers to Diffie-Hellman key establishment. RSA refers to an RSA signature. 


3. The Commercial National Security Algorithm Suite 


The NSA profiles commercial cryptographic algorithms and protocols as part of its mission to 
support secure, interoperable communications for US Government National Security Systems. To 
this end, it publishes guidance to both (1) assist with the US Government transition to new 
algorithms and (2) provide vendors -- and the Internet community in general -- with information 
concerning their proper use and configuration. 


Recently, cryptographic transition plans have become overshadowed by the prospect of the 
development of a cryptographically relevant quantum computer. The NSA has established the 
Commercial National Security Algorithm (CNSA) Suite to provide vendors and IT users near-term 
flexibility in meeting their information assurance interoperability requirements. The purpose 
behind this flexibility is to avoid vendors and customers making two major transitions ina 
relatively short timeframe, as we anticipate a need to shift to quantum-resistant cryptography in 
the near future. 
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The NSA is authoring a set of RFCs, including this one, to provide updated guidance concerning 
the use of certain commonly available commercial algorithms in IETF protocols. These RFCs can 
be used in conjunction with other RFCs and cryptographic guidance (e.g., NIST Special 
Publications) to properly protect Internet traffic and data-at-rest for US Government National 
Security Systems. 


4. CNSA-Compliant IPsec Overview 


CNSA-compliant implementations for IPsec MUST use IKEv2 [RFC7296]. 


Implementing a CNSA-compliant IPsec system requires cryptographic algorithm selection for 
both the IKEv2 and ESP protocols. The following CNSA requirements apply to IPsec: 


Encryption: 
AES [FIPS197] (with key size 256 bits) 
Digital Signature: 


ECDSA [FIPS186] (using the NIST P-384 elliptic curve) 
RSA [FIPS186] (with a modulus of 3072 bits or larger) 


Key Establishment: 


ECDH [SP80056A] (using the NIST P-384 elliptic curve) 
DH [RFC3526] (with a prime modulus of 3072 or larger) 


To facilitate selection of appropriate combinations of compliant algorithms, this document 
provides CNSA-compliant User Interface suites (UI suites) [RFC4308] to implement IPsec on 
National Security Systems. 


The approved CNSA hash function for all purposes is SHA-384, as defined in [FIPS180]. However, 
PRF_HMAC_SHA_512 is specified for the IKEv2 Pseudorandom Function (PRF) instead of 
PRF_HMAC_SHA_384, due to availability. See Section 8 below. 


For CNSA Suite applications, public key certificates MUST be compliant with the CNSA Suite 
Certificate and CRL Profile specified in [RFC8603]. 


Under certain conditions, such as applications having long-lived data-protection requirements, 
systems that do not comply with the requirements of this document are acceptable; see Section 
iz. 


5. IPsec User Interface Suites 


User Interface (UI) suites [RFC4308] are named suites that cover some typical security policy 
options for IPsec. Use of UI suites does not change the IPsec protocol in any way. The following UI 
suites provide cryptographic algorithm choices for ESP [RFC4303] and for IKEv2 [RFC7296]. The 
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selection of a UI suite will depend on the key exchange algorithm. The suite names indicate the 
Advanced Encryption Standard [FIPS197] mode, AES key length specified for encryption, and the 
key exchange algorithm. 


Although RSA is also a CNSA-approved key establishment algorithm, only DH and ECDH are 
specified for key exchange in IKEv2 [RFC7296]. RSA in IPsec is used only for digital signatures. See 
Section 6. 


ESP requires negotiation of both a confidentiality algorithm and an integrity algorithm. However, 
algorithms for Authenticated Encryption with Associated Data (AEAD) [RFC5116] do not require a 
separate integrity algorithm to be negotiated. In particular, since AES-GCM is an AEAD algorithm, 
ESP implementing AES-GCM MUST either offer no integrity algorithm or indicate the single 
integrity algorithm NONE (see Section 3.3 of [RFC7296]). 


To be CNSA compliant, IPsec implementations that use the following UI suites MUST use the suite 
names listed below. IPsec implementations SHOULD NOT use names different than those listed 
here for the suites that are described and MUST NOT use the names listed here for suites that do 
not match these values. These requirements are necessary for interoperability. 


Transform names are as listed in the IANA "Internet Key Exchange Version 2 (IKEv2) Parameters" 
registry. Definitions of the transforms are contained in the references specified in that registry. 


Other UI suites may be acceptable for CNSA compliance. See Section 8 for details. 
5.1. Suite CNSA-GCM-256-ECDH-384 


ESP SA: 
Encryption: ENCR_AES_GCM_16 (with key size 256 bits) 
Integrity: NONE 

IKEv2 SA: 
Encryption: ENCR_AES_GCM_16 (with key size 256 bits) 
PRF: PRF_HMAC SHA2 512 
Integrity: NONE 
Diffie-Hellman group: 384-bit random ECP group 


5.2. Suite CNSA-GCM-256-DH-3072 


ESP SA: 
Encryption: ENCR_AES_GCM_16 (with key size 256 bits) 
Integrity: NONE 

IKEv2 SA: 
Encryption: ENCR_AES_GCM_16 (with key size 256 bits) 
PRF: PRF_HMAC SHA2 512 
Integrity: NONE 
Diffie-Hellman group: 3072-bit MODP group 
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5.3. Suite CNSA-GCM-256-DH-4096 


ESP SA: 
Encryption: ENCR_AES_GCM_16 (with key size 256 bits) 
Integrity: NONE 

IKEv2 SA: 
Encryption: ENCR_AES_GCM_16 (with key size 256 bits) 
PRF: PRF_HMAC SHA2_ 512 
Integrity: NONE 
Diffie-Hellman group: 4096-bit MODP group 


6. IKEv2 Authentication 


Authentication of the IKEv2 Security Association (SA) requires computation of a digital signature. 
To be CNSA compliant, digital signatures MUST be generated with SHA-384 as defined in [RFC8017] 
together with either ECDSA-384 as defined in [RFC4754] or RSA with 3072-bit or greater modulus. 
(For applications with long data-protection requirements, somewhat different rules apply; see 
Section 12.) 


Initiators and responders MUST be able to verify ECDSA-384 signatures and MUST be able to verify 
RSA with 3072-bit or 4096-bit modulus and SHA-384 signatures. 


For CNSA-compliant systems, authentication methods other than ECDSA-384 or RSA MUST NOT be 
accepted for IKEv2 authentication. A 3072-bit modulus or larger MUST be used for RSA. If the 
relying party receives a message signed with any authentication method other than an 
ECDSA-384 or RSA signature, it MUST return an AUTHENTICATION_FAILED notification and stop 
processing the message. If the relying party receives a message signed with RSA using less than a 
3072-bit modulus, it MUST return an AUTHENTICATION_FAILED notification and stop processing 
the message. 


7. Certificates 


To be CNSA compliant, the initiator and responder MUST use X.509 certificates that comply with 
[RFC8603]. Peer authentication decisions must be based on the Subject or Subject Alternative 
Name from the certificate that contains the key used to validate the signature in the 
Authentication Payload as defined in Section 3.8 of [RFC7296], rather than the Identification Data 
from the Identification Payload that is used to look up policy. 
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8. IKEv2 Security Associations (SAs) 


Section 5 specifies three UI suites for ESP and IKEv2 Security Associations. All three use AES-GCM 
for encryption but differ in the key exchange algorithm. Galois/Counter Mode (GCM) [RFC4106] 
combines counter (CTR) mode witha secure, parallelizable, and efficient authentication 
mechanism. Since AES-GCM is an AEAD algorithm, ESP implements AES-GCM with no additional 
integrity algorithm (see Section 3.3 of [RFC7296]). 


An initiator proposal SHOULD be constructed from one or more of the following suites: 


e CNSA-GCM-256-ECDH-384 
e CNSA-GCM-256-DH-3072 
e CNSA-GCM-256-DH-4096 


A responder SHOULD accept proposals constructed from at least one of the three named suites. 
Other UI suites may result in acceptable proposals (such as those based on 
PRF_HMAC_SHA2_384); however, these are provided to promote interoperability. 


Nonce construction for AES-GCM using a misuse-resistant technique [RFC8452] conforms with the 
requirements of this document and MAY be used if a Federal Information Processing Standard 
(FIPS) validated implementation is available. 


The named UI suites specify PRF_HMAC_SHA2_512 for the IKEv2 SA PRF transform, as 
PRF_HMAC_SHA2_384is not listed among required PRF transforms in [RFC8247]; therefore, 
implementation of the latter is likely to be scarce. The security level of PRF_HMAC_SHA2_512is 
comparable, and the difference in performance is negligible. However, SHA-384 is the official 
CNSA algorithm for computing a condensed representation of information. Therefore, the 
PRF_HMAC_SHA2_384 transform is CNSA compliant if it is available to the initiator and 
responder. Any PRF transform other than PRF_HMAC_SHA2_384 or PRF_HMAC_SHA2_512 MUST 
NOT be used. 


If none of the proposals offered by the initiator consist solely of transforms based on CNSA 
algorithms (such as those in the UI suites defined in Section 5), the responder MUST return a 
Notify payload with the error NO_PROPOSAL_CHOSEN when operating in CNSA-compliant mode. 


9. The Key Exchange Payload in the IKE_SA_INIT Exchange 


The key exchange payload is used to exchange Diffie-Hellman public numbers as part of a Diffie- 
Hellman key exchange. The CNSA-compliant initiator and responder MUST each generate an 
ephemeral key pair to be used in the key exchange. 


If the Elliptic Curve Diffie-Hellman (ECDH) key exchange is selected for the SA, the initiator and 
responder both MUST generate an elliptic curve (EC) key pair using the P-384 elliptic curve. The 
ephemeral public keys MUST be stored in the key exchange payload as described in [RFC5903]. 
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If the Diffie-Hellman (DH) key exchange is selected for the SA, the initiator and responder both 
MUST generate a key pair using the appropriately sized MODP group as described in [RFC3526]. 
The size of the MODP group will be determined by the selection of either a 3072-bit or greater 
modulus for the SA. 


10. Generating Key Material for the IKE SA 


As noted in Section 7 of [RFC5903], the shared secret result of an ECDH key exchange is the 384-bit 
x value of the ECDH common value. The shared secret result of a DH key exchange is the number 
of octets needed to accommodate the prime (e.g., 384 octets for 3072-bit MODP group) with 
leading zeros as necessary, as described in Section 2.1.2 of [RFC2631]. 


IKEv2 allows for the reuse of Diffie-Hellman private keys; see Section 2.12 of [RFC7296]. However, 
there are security concerns related to this practice. Section 5.6.3.3 of [SP80056A] states that an 
ephemeral private key MUST be used in exactly one key establishment transaction and MUST be 
destroyed (zeroized) as soon as possible. Section 5.8 of [SP80056A] states that any shared secret 
derived from key establishment MUST be destroyed (zeroized) immediately after its use. CNSA- 
compliant IPsec systems MUST follow the mandates in [SP80056A]. 


11. Additional Requirements 
The IPsec protocol AH MUST NOT be used in CNSA-compliant implementations. 


A Diffie-Hellman group MAY be negotiated for a Child SA as described in Section 1.3 of [RFC7296], 
allowing peers to employ Diffie-Hellman in the CREATE_CHILD_SA exchange. If a transform of 
type 4 is specified for an SA for ESP, the value of that transform MUST match the value of the 
transform used by the IKEv2 SA. 


Per [RFC7296], if a CREATE_CHILD_SA exchange includes a KEi payload, at least one of the SA 
offers MUST include the Diffie-Hellman group of the KEi. For CNSA-compliant IPsec 
implementations, the Diffie-Hellman group of the KEi MUST use the same group used in the 
IKE_INIT_SA. 


For IKEv2, rekeying of the CREATE_CHILD_SA MUST be supported by both parties. The initiator of 
this exchange MAY include a new Diffie-Hellman key; if it is included, it MUST use the same group 
used in the IKE_INIT_SA. If the initiator of the exchange includes a Diffie-Hellman key, the 
responder MUST include a Diffie-Hellman key, and it MUST use the same group. 


For CNSA-compliant systems, the IKEv2 authentication method MUST use an end-entity certificate 
provided by the authenticating party. Identification Payloads (IDi and IDr) in the IKE_AUTH 
exchanges MUST NOT be used for the IKEv2 authentication method but may be used for policy 
lookup. 


The administrative User Interface (UI) for a system that conforms to this profile MUST allow the 
operator to specify a single suite. If only one suite is specified in the administrative UI, the IKEv2 
implementation MUST only offer algorithms for that one suite. 
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The administrative UI MAY allow the operator to specify more than one suite; if it allows this, it 
MUST allow the operator to specify a preferred order for the suites that are to be offered or 
accepted. If more than one suite is specified in the administrative UI, the IKEv2 implementation 
MUST only offer algorithms of those suites. (Note that although this document does not define a UI 
suite specifying PRF_HMAC_SHA2_ 384, a proposal containing such a transform is CNSA 
compliant.) 


12. Guidance for Applications with Long Data-Protection 
Requirements 


The CNSA mandate is to continue to use current algorithms with increased security parameters, 
then transition to approved post-quantum resilient algorithms when they are identified. 
However, some applications have data-in-transit-protection requirements that are long enough 
that post-quantum resilient protection must be provided now. Lacking approved asymmetric 
post-quantum resilient confidentiality algorithms, that means approved symmetric techniques 
must be used as described in this section until approved post-quantum resilient asymmetric 
algorithms are identified. 


For new applications, confidentiality and integrity requirements from the sections above MUST 
be followed, with the addition of a Pre-Shared Key (PSK) mixed in as defined in [RFC8784]. 


Installations currently using IKEv1 with PSKs MUST (1) use AES in cipher block chaining mode 
(AES-CBC) in conjunction with a CNSA-compliant integrity algorithm (e.g., 
AUTH_HMAC SHA2 384 192) and (2) transition to IKEv2 with PSKs [RFC8784] as soon as 
implementations become available. 


Specific guidance for systems not compliant with the requirements of this document, including 
non-GCM modes and PSK length, and PSK randomness, will be defined in solution-specific 
requirements appropriate to the application. Details of those requirements will depend on the 
program under which the commercial National Security Systems solution is developed (e.g., an 
NSA Commercial Solutions for Classified Capability Package). 


13. Security Considerations 


This document inherits all of the security considerations of the IPsec and IKEv2 documents, 
including [RFC7296], [RFC4303], [RFC4754], and [RFC8221]. 


The security of a system that uses cryptography depends on both the strength of the 
cryptographic algorithms chosen and the strength of the keys used with those algorithms. The 
security also depends on the engineering and administration of the protocol used by the system 
to ensure that there are no non-cryptographic ways to bypass the security of the overall system. 


When selecting a mode for the AES encryption [RFC5116], be aware that nonce reuse can result in 
a loss of confidentiality. Nonce reuse is catastrophic for GCM, since it also results in a loss of 
integrity. 
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14. IANA Considerations 


IANA has added the UI suites defined in this document to the "Cryptographic Suites for IKEv1, 
IKEv2, and IPsec" registry located at <https://www.iana.org/assignments/crypto-suites>: 


Identifier Reference 
CNSA-GCM-256-ECDH-384 RFC 9206 
CNSA-GCM-256-DH-3072 RFC 9206 


CNSA-GCM-256-DH-4096 RFC 9206 
Table 1 
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